A law blog addressing the foci of 3 intrepid law geeks, specializing in their respective fields of knowledge management, internet marketing and library sciences, melding together to form the Dynamic Trio.

Pages

9/8/09

Coming on the heels of our Gmail Waives Privilege dialogue, I came across even further evidence of the dangers of using free email systems like Gmail. As reported in the Washington Post and published by the Houston Chronicle, for only $100 you can buy the password to a any freemail account. The article explains how a 'woman scorned' contacted YourHackerz.com and was able to purchase the password to her "married boyfriend's" AOL email account. She followed that up by securing the passwords to people he emailed who used similar accounts.
We at 3 Geeks are aware that a number of state bars have opined that email has a reasonable expectation of privacy and as such is ethical to use when transmitting confidential client information. In part, the reasonable expectation comes about since it is illegal to intercept email. However, the article points out:

Federal law prohibits hacking into e-mail, but without further illegal activity, it's only a misdemeanor, noted Orin Kerr, a law professor at George Washington University and a former trial attorney in the Justice Department's computer crime section.

Wow ... a misdemeanor.

The feds usually don't have the resources to investigate and prosecute misdemeanors, Kerr said. And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace.

Ethics issues aside (which still need to catch up with reality) lawyers should have their eyes VERY wide open when using these email services. In addition to email being inherently insecure, hacking freemail accounts is now as easy as buying a book on Amazon. As we've noted previously, the higher duty of care lawyers hold demands a higher level of practice.

2
comments:

The problem with this stringent position on free mail services is that they fail to account for the other end of the communication: the client. Even if a lawyer uses secure or encrypted email, there's no guarantee that a client will do so and indeed, if the client is using a public machine or portal, he or she may not be able to. I know that there are also ways to communicate securely through client portals and the like, but in my experience, clients simply prefer the fluidity of email (and I deal with fairly sophisticated, computer savvy clients). Until I see actual statistics on the risk of disclosure through free email as opposed to other forms of communication, I am willing to sacrifice security for enhanced communication with my clients. If I have to face an ethics violation, I'd rather take the chance on violating privilege than, for example, being subject to a court sanction because I didn't disclose discovery documents because my client didn't want to go through the trouble of sending it to me through a portal or had important information that he wanted to convey but it was too much of a hassle to log in to a portal to ask a question about the information's importance.

Free - equates with low security. I suggest lawyers should be paying (and its not that much) to achieve a higher level of security. In this instance, the hacking services aren't aimed at private email services. I have a private email account on a domain I own that costs $50 per year. This small step takes me off this hacking vulnerability and still allows the same level of communications.

Client Use - In the Sengart case mentioned in my Gmail Part Deux post, if the client's lawyer was emailing the client during work hours about about a case against the employer, he or she should have put some thought into how and where the client was accessing the information. A lawyer sending hard-copy documents on a case like this to the employer's address would raise ethical red flags.

Again - I suggest that lawyers need to be aware of the risks and spend a little money to move to more secure tools. I would add they also have a duty to communicate with the client about the client's use of email and the risks involved on their end.